Cisco Secure Network Analytics
Proxy Log Configuration Guide 7.5.3
Introduction
To collect user information from network proxy servers for the Cisco Secure Network Analytics (formerly Stealthwatch) Proxy Log, you must configure the proxy server logs. The Flow Collector receives the logs, and the Manager (formerly Stealthwatch Management Console) displays the information on the Flow Proxy Records page. This page provides URLs and application names of the traffic within a network that passes through the proxy server.
Requirements
Before beginning, confirm that the following requirements are met:
- Cisco WSA (14-5-1-016), Blue Coat, McAfee, and Squid are supported for this configuration. Ensure your proxy server is configured and operational within your network.
- Confirm that the Flow Collector and the proxy use the same NTP server, or receive time from a common source, to ensure flow and proxy records can be matched.
- Select the Flow Collector that gathers data from the exporters and endpoints you intend to investigate in the proxy logs. The IP address of the Flow Collector is required for configuration.
- There is no specific size limit for syslog proxy messages. However, keep each message shorter than the smallest Maximum Transmission Unit (MTU) on the path between the proxy and the Flow Collector, typically 1500 bytes; over IPv4 and UDP that leaves 1472 bytes for the syslog message itself. Staying under the MTU prevents IP fragmentation, and a fragmented datagram that loses a single fragment loses the whole proxy record.
- Proxy Log is not supported in High Availability (HA) mode.
Configuration Overview
Complete the following procedures:
- Choose one of the following methods to configure your proxy server:
- Configuring the Cisco Web Security Appliance (WSA) Proxy Logs
- Configuring the Blue Coat Proxy Logs
- Configuring the McAfee Proxy Logs
- Configuring Squid Proxy Logs
- Configuring the Flow Collector
- Checking the Flows
Configuring the Cisco Web Security Appliance (WSA) Proxy Logs
Use this section to configure Cisco proxy logs to send to Secure Network Analytics.
Note: Cisco WSA proxy does not support Virtual IPs for adding the proxy device.
To set up the Cisco proxy log, complete the following steps:
- Log in to the Cisco proxy server.
- On the main menu, navigate to System Administration > Log Subscriptions. The Log Subscriptions page opens.
- Click the Add Log Subscriptions button. The New Log Subscriptions page opens.
- From the Log Type drop-down list, select W3C Logs. The available W3C Log fields will appear.
- In the Log Name field, enter a name for the log.
- From the Available Log Fields list, select each of the following fields in turn and click Add to move it to the Selected Log Fields list, in this order:
- timestamp
- x-elapsed-time
- c-ip
- c-port
- cs-bytes
- s-ip
- s-port
- sc-bytes
- cs-usernames
- s-computerName
- cs-url
The Selected Log Fields list must contain these fields in the specified order, with no other fields present.
- Scroll to the bottom of the page and select the Syslog Push option.
- In the Hostname field, enter the Flow Collector IP address or its hostname to which the proxy will send logs.
- Click Submit. The new log is added to the Log Subscription list.
- Continue to the Configuring the Flow Collector section to set up your Flow Collector to receive syslog information.
Configuring the Blue Coat Proxy Logs
Use this section to configure Blue Coat proxy logs to send to Secure Network Analytics.
Note: The Blue Coat proxy version used for testing was SG V100, SGOS 6.5.5.7 SWG Edition.
Creating the Format
To create a new log format, complete the following steps:
- In your browser, access your Blue Coat proxy server.
- Click the Configuration tab.
- In the main menu of the Management Console, click Access Logging > Formats.
- Click New at the bottom of the page. The Create Format page opens.
- In the Format Name field, enter a name for the new format.
- Select the W3C Extended Log File Format (ELFF) option.
- In the format field, enter the following string:
timestamp duration c-ip c-port r-ip r-port s-ip s-port cs-bytes sc-bytes cs-user cs-host cs-uri
- Click OK. Continue to the next section, Create a New Log.
Create a New Log
To create the logs, complete the following steps:
- In the main menu, click Access Logging > Logs, and then select the new log format. The Log page opens.
- Click the General Settings tab.
- From the Log Format drop-down list, select the format you created in Creating the Format.
- In the Description field, enter a description for your new log.
- Click the Apply button at the bottom of the page. Continue to the next section, Configure the Upload Client.
Configure the Upload Client
To configure the upload client, complete the following steps:
- Click the Upload Client tab. The Upload Client page opens.
- From the Client type drop-down list, select Custom Client.
- Click the Settings button. The Custom Client settings page opens.
- In the appropriate fields, enter the IP address of the Flow Collector and the listening port of the proxy parser. Note: SSL is not supported at this time.
- Click OK.
- For the Transmission Parameters, complete these steps:
- For the Encryption Certificate, select No encryption.
- From the Signing Keyring drop-down list, select no signing.
- From the "Save the log file as" option, select the Text file option.
- In the "Send partial buffer after" text box, enter 5.
- Click the Apply button at the bottom of the page. Continue to the next section, Configuring the Upload Schedule.
Configuring the Upload Schedule
To configure the upload schedule, complete the following steps:
- Click the Upload Schedule tab.
- For "Upload the access log," select continuously.
- Set "Wait between connect attempts" to 60 seconds.
- Set "Time between keep-alive log packets" to 5 seconds.
- Click the Apply button at the bottom of the page.
This completes the configuration for the Blue Coat proxy logs for the Flow Collector.
Further Configuration Notes
- Confirm that the Flow Collector and Proxy use the same NTP server (or receive time from a common source for flow and proxy records to be matched).
- Only one log output mechanism for the proxy is supported. If you are already exporting logs, you cannot capture and parse proxy records.
- The UDP Director High Availability is not supported.
Configuring the Visual Policy Manager
Configuration of the Visual Policy Manager enables you to check that the proxy log is being sent to the Flow Collector.
- In the Configuration tab page in the main menu, click Policy > Visual Policy Manager. The Visual Policy Manager opens.
- Click the Launch button at the bottom for your configured log. The Visual Policy Manager for the log window opens.
- Click Policy > Add Web Access Layer. The Add New layer screen opens.
- Enter a name for the new layer, and then click OK.
- Right-click Deny in the Action column and then click Set. The Set Action Object dialog opens.
- Click New and select Modify Access Logging. The Edit Access Logging Object dialog opens.
- Click Enable logging to.
- Enter a name for your log and then select your log.
- Click OK. The object is added.
- In the Set Action Object dialog, click OK.
- Click the Install policy button at the top right.
- Click No and then OK for the following windows.
- Launch the Blue Coat Visual Policy Manager again.
- Right-click the logging tab and then select Enable Layer.
- Click the Install Policy button. The Policy Installed dialog opens.
- Click OK.
- Click the Statistics tab, and in the log menu, select your log.
- In the main menu, click Access Logging, and then click the Log Tail tab. The Log Tail window opens.
- Click the Start Tail button at the bottom of the page.
- On the Statistics main menu, click System > Event Logging. This page will show if the log file is uploaded to the Flow Collector and the changes made. It indicates whether the proxy is connected to the Flow Collector.
- Continue to the Configuring the Flow Collector section to set up your Flow Collector to receive syslog information.
Configuring the McAfee Proxy Logs
Use this section to configure McAfee proxy logs from the McAfee Web Gateway to send to Secure Network Analytics.
- Ensure you have downloaded the XML configuration file for the McAfee proxy. Obtain the readme and Proxy Log XML configuration files from Cisco Software Central.
- Log in to your Cisco Smart Account at https://software.cisco.com or contact your administrator.
- The McAfee proxy version used for testing was 7.4.2.6.0 – 18721.
To set up the McAfee proxy log, complete the following steps:
- Download the XML file FlowCollector_[date]_McAfee_Log_XML_Config_[v].xml and save it to your preferred location. "[date]" is the date of the XML file and "[v]" is the McAfee proxy version; select the XML file that matches your McAfee proxy's version number. To download the file, follow these steps:
- Go to https://software.cisco.com, Cisco Software Central.
- Navigate to Download and manage > Download and Upgrade, then select Access downloads.
- Scroll down to the Product field.
- In the Select a Product field, type Secure Network Analytics and press Enter.
- Select Secure Network Analytics Virtual Flow Collector or another Flow Collector.
- Select Secure Network Analytics System Software > Configuration Files.
- Log in to the McAfee proxy server.
- Click the Policy icon, and then click the Rule Sets tab.
- Select Log Handler, and then select Default.
- Click Add > Rule Set from the Library.
- Click Import from file, and then select the XML file.
- In the log handler that was just imported, select mcafeelancopelog. Note: Ensure the rule set and the rules "create access logline" and "send to syslog" are enabled.
- Click the Configuration icon at the top of the page.
- On the left side of the page, click the File Editor tab, and then select the rsyslog.conf file.
- At the bottom of the text box (beside the list of files), enter the following line, replacing [FlowCollector IP Address] with the IP address of your Flow Collector:
daemon.info @[FlowCollector IP Address]:514
Note: Ensure you select the Flow Collector that collects data from the exporters and endpoints you wish to investigate in the proxy logs.
- Comment out the existing line that begins with:
*.info;mail.none;authpriv.none;cron.none
- Add the following line in its place (the daemon.!=info selector keeps the proxy's daemon.info records out of /var/log/messages, so they are only forwarded to the Flow Collector):
*.info;daemon.!=info;mail.none;authpriv.none;cron.none /var/log/messages
- Click the Save Changes button at the top right of the page.
- Continue to the Configuring the Flow Collector section to set up your Flow Collector to receive syslog information.
Configuring Squid Proxy Logs
Use this section to configure Squid proxy logs to send to Secure Network Analytics. You can edit the files on the proxy server using SSH.
To configure the Squid proxy logs, complete the following steps:
- Log into a shell for the machine running Squid.
- Navigate to the directory containing squid.conf (typically /etc/squid) and open it in an editor.
- Add the following lines to squid.conf to configure logging. The access_log line sends each record to the local syslog daemon with facility user and level 6 (info); the forwarding rules in the following steps select records by that facility and level (syslog-ng) or by the program name squid (rsyslog):
logformat access_format %ts%03tu %<tt %>a %>p %>st %<A %<st %<la %<lp %la %lp %un %ru
access_log syslog:user.6 access_format
- Restart squid using one of the following commands:
- For init based systems:
/etc/init.d/squid3 restart
- For systemd based systems:
systemctl restart squid
- Configure the syslog service on the Squid server to forward logs to the Flow Collector. This configuration depends on the Linux distribution and syslog service used. In the examples below, 10.205.14.15 stands for the Flow Collector; replace it with the IP address of your Flow Collector.
- For syslog-ng, add the following to /etc/syslog-ng/syslog-ng.conf:
# Audit Log Facility BEGIN
filter bs_filter { filter(f_user) and level(info) };
destination udp_proxy { udp("10.205.14.15" port(514)); };
log { source(s_all); filter(bs_filter); destination(udp_proxy); };
# Audit Log Facility END
- For rsyslog, add the following to /etc/rsyslog.conf:
:programname, contains, "squid" @10.205.14.15:514
- Restart the syslog service:
- For init based systems:
/etc/init.d/syslog-ng restart (for syslog-ng) or /etc/init.d/rsyslog restart (for rsyslog)
- For systemd based systems:
systemctl restart syslog (for syslog-ng) or systemctl restart rsyslog (for rsyslog)
Note: Ensure you select the Flow Collector that collects data from the exporters and endpoints you wish to investigate in the proxy logs.
- Continue to the Configuring the Flow Collector section to receive syslog information.
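A restart of Squid or the syslog daemon with a broken file takes the proxy, and with it client web access, down. Before restarting, it is worth confirming that the two configurations agree (Squid writes to facility user, level info; the syslog daemon must forward exactly that, by program name squid for rsyslog or by facility and level for syslog-ng) and that each daemon accepts its file. The following pre-flight script is an added example and is not part of this guide or of Cisco's tooling. It assumes the file locations shown in the steps above, defaults FC_IP to the example address 10.205.14.15 used in this section (override it with your Flow Collector's address), and runs each daemon's own syntax checker (squid -k parse, rsyslogd -N1, syslog-ng --syntax-only) only when that daemon is installed on the host.

```shell
#!/bin/sh
# Pre-restart check for the Squid host. Added example, not Cisco tooling.
# 1. squid.conf must log through the local syslog daemon as facility user, level info (6).
# 2. The syslog daemon must carry a forwarding rule to the Flow Collector on UDP/514:
#    rsyslog selects by program name "squid", syslog-ng by facility user at level info.
# 3. Each daemon's own parser is run on its file when the daemon is installed, so a
#    typo is caught here rather than by a failed restart of the proxy.
# FC_IP defaults to the example address used in this guide; set it to your Flow Collector.
FC_IP="${FC_IP:-10.205.14.15}"

squid_logs_to_syslog() {
    grep -Eq '^[[:space:]]*logformat[[:space:]]+access_format[[:space:]]' "$1" &&
    grep -Eq '^[[:space:]]*access_log[[:space:]]+syslog:user\.6[[:space:]]+access_format' "$1"
}

rsyslog_forwards_to_fc() {
    grep -Eq "^:programname,[[:space:]]*contains,[[:space:]]*\"squid\"[[:space:]]+@${FC_IP}:514" "$1"
}

syslogng_forwards_to_fc() {
    grep -Eq "udp\(\"${FC_IP}\"[[:space:]]+port\(514\)\)" "$1" &&
    grep -Eq 'filter\(f_user\)[[:space:]]+and[[:space:]]+level\(info\)' "$1"
}

# Binary that implements each daemon; empty for anything else.
tool_for() {
    case "$1" in squid) echo squid ;; rsyslog) echo rsyslogd ;; syslog-ng) echo syslog-ng ;; esac
}

# Run the daemon's own config parser on a file.
syntax_check() {
    case "$1" in
        squid)     squid -k parse -f "$2" ;;
        rsyslog)   rsyslogd -N1 -f "$2" ;;
        syslog-ng) syslog-ng --syntax-only -f "$2" ;;
        *)         return 1 ;;
    esac
}

# 0 = accepted, or skipped because the daemon is not installed here; 1 = rejected.
run_check() {
    if ! command -v "$(tool_for "$1")" >/dev/null 2>&1; then
        echo "$1 not installed here; syntax check of $2 skipped" >&2
        return 0
    fi
    syntax_check "$1" "$2" >/dev/null || { echo "$1 rejected $2" >&2; return 1; }
}

# usage: preflight /etc/squid/squid.conf rsyslog /etc/rsyslog.conf
#        preflight /etc/squid/squid.conf syslog-ng /etc/syslog-ng/syslog-ng.conf
preflight() {
    squid_conf="$1"; daemon="$2"; daemon_conf="$3"
    squid_logs_to_syslog "$squid_conf" ||
        { echo "$squid_conf: access_log is not 'syslog:user.6 access_format'" >&2; return 1; }
    case "$daemon" in
        rsyslog)   rsyslog_forwards_to_fc "$daemon_conf" ;;
        syslog-ng) syslogng_forwards_to_fc "$daemon_conf" ;;
        *)         echo "unknown syslog daemon: $daemon" >&2; return 1 ;;
    esac || { echo "$daemon_conf: no forwarding rule to ${FC_IP}:514" >&2; return 1; }
    run_check squid "$squid_conf" && run_check "$daemon" "$daemon_conf" || return 1
    echo "preflight ok: safe to restart squid and $daemon"
}
```

Run preflight once with the daemon you use before the restart step; a non-zero exit means the proxy would come back up without sending records (or not come back up at all), and the message on stderr names which of the two files is at fault.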
Configuring the Flow Collector
After configuring the proxy server, you need to configure the Flow Collector to accept the data.
To configure the Flow Collector to receive syslog information, complete the following steps:
- Log in to your Manager.
- Select Configure > Global > Central Management.
- Click the ... (Ellipsis) icon for your Flow Collector, then click View Appliance Statistics.
- Log in to the Flow Collector. The Flow Collector interface opens.
- Click Configuration > Proxy Ingest. The Proxy Servers page opens.
- From the Proxy Type drop-down list, select your proxy server type. Note: If your proxy server type is not listed, you cannot use proxy logs at this time.
- Enter the address of the proxy server. The Flow Collector accepts syslog from the IP Address and matches proxy records against flows using the Telemetry IP Address, so both must be correct when they differ. If the proxy server:
- has only one IP address, enter the proxy server's IP address in the IP Address field. Leave the Telemetry IP Address field empty.
- has multiple IP addresses, enter the management IP address of the proxy server (the source IP address of its syslog messages) in the IP Address field. Enter the telemetry IP address of the proxy server in the Telemetry IP Address field.
- In the Proxy Service Port field, enter the port number of the proxy server.
- If you want the proxy server to trigger alarms, un-check the Exclude from Alarming check box.
- Click Add.
- Click Apply. The proxy server will appear in the Proxy Ingest table at the top of the page.
- Continue to the Checking the Flows section.
Checking the Flows
To verify that you are receiving the flows, complete the following steps:
- In the Flow Collector interface, click Support > Browse Files in the main menu. The Browse Files page opens.
- Open the sw.log file.
- Check that the webproxy count is increasing to confirm that you are receiving data.
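If the webproxy count does not increase, the most common cause is that the lines leaving the proxy no longer match the field layout the Flow Collector expects: a field added to the WSA subscription, a Blue Coat format string edited, or a Squid logformat with a token out of order. The checker below is an added example, not Cisco's code, that validates sample lines against the three layouts exactly as this guide specifies them (the WSA field list, the Blue Coat ELFF string and the Squid logformat) and flags the two faults the guide warns about: field count or order drift, and a syslog datagram larger than the path MTU. It assumes each line is the bare access-log payload after the syslog header, uses a 48-byte allowance for that header in the MTU check (an assumption; measure your proxy's actual header), and the sample lines, addresses and user name are constructed.

```python
"""Offline sanity check for proxy log lines in the three field layouts this guide configures.

Added example, not Cisco code. The field orders below are copied from the guide's WSA,
Blue Coat and Squid sections; the sample lines are constructed. Each line is the bare
access-log payload, i.e. what follows the syslog header the proxy prepends.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Each entry: (field name as the guide writes it, value kind, canonical key or None).
# Kinds: ts = epoch seconds; ts_ms = epoch seconds with milliseconds appended (Squid %ts%03tu);
# int; port (0-65535); ip (must parse as an address); host (IP, name or "-", unchecked); str.
WSA = [("timestamp", "ts", "ts"), ("x-elapsed-time", "int", None),
       ("c-ip", "ip", "c_ip"), ("c-port", "port", "c_port"), ("cs-bytes", "int", "cs_bytes"),
       ("s-ip", "ip", "s_ip"), ("s-port", "port", "s_port"), ("sc-bytes", "int", "sc_bytes"),
       ("cs-usernames", "str", "user"), ("s-computerName", "str", None), ("cs-url", "str", "url")]
BLUECOAT = [("timestamp", "ts", "ts"), ("duration", "int", None),
            ("c-ip", "ip", "c_ip"), ("c-port", "port", "c_port"), ("r-ip", "host", None),
            ("r-port", "str", None), ("s-ip", "ip", "s_ip"), ("s-port", "port", "s_port"),
            ("cs-bytes", "int", "cs_bytes"), ("sc-bytes", "int", "sc_bytes"),
            ("cs-user", "str", "user"), ("cs-host", "str", None), ("cs-uri", "str", "url")]
SQUID = [("%ts%03tu", "ts_ms", "ts"), ("%<tt", "int", None),
         ("%>a", "ip", "c_ip"), ("%>p", "port", "c_port"), ("%>st", "int", "cs_bytes"),
         ("%<A", "host", "s_ip"), ("%<st", "int", "sc_bytes"), ("%<la", "host", None),
         ("%<lp", "str", None), ("%la", "host", None), ("%lp", "port", None),
         ("%un", "str", "user"), ("%ru", "str", "url")]


@dataclass
class ProxyRecord:
    ts: float
    c_ip: str
    c_port: int
    cs_bytes: int
    sc_bytes: int
    user: str
    url: str
    s_ip: str = "-"
    s_port: Optional[int] = None  # the Squid logformat above carries no origin-server port


def _convert(kind, raw):
    if kind == "ts":
        return float(int(raw))
    if kind == "ts_ms":
        return int(raw) / 1000.0
    if kind == "int":
        return int(raw)
    if kind == "port":
        port = int(raw)
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {raw}")
        return port
    if kind == "ip":
        ipaddress.ip_address(raw)  # raises ValueError for anything that is not an address
    return raw


def parse_line(line, spec):
    """Split one access-log line per spec; return None for W3C '#' directive lines.
    Raises ValueError when the field count or a field's type drifts from the guide's layout,
    which is exactly what stops the Flow Collector from matching proxy records to flows."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()  # W3C and Squid fields are space separated; values are encoded to contain none
    if len(fields) != len(spec):
        raise ValueError(f"expected {len(spec)} fields, got {len(fields)}")
    values = {}
    for (name, kind, key), raw in zip(spec, fields):
        try:
            value = _convert(kind, raw)
        except ValueError as exc:
            raise ValueError(f"field {name}: {exc}") from None
        if key:
            values[key] = value
    return ProxyRecord(**values)


def udp_datagram_size(line, syslog_header_len=48):
    """On-wire size of the line as a single IPv4/UDP syslog datagram (20 + 8 bytes of headers).
    The 48-byte allowance for <PRI>, timestamp, hostname and tag is an assumption."""
    return 20 + 8 + syslog_header_len + len(line.encode())


def check_lines(lines, spec, mtu=1500):
    """Return (records, problems) for a batch of lines; oversize lines are reported, not dropped."""
    records, problems = [], []
    for number, line in enumerate(lines, 1):
        try:
            record = parse_line(line, spec)
        except ValueError as exc:
            problems.append(f"line {number}: {exc}")
            continue
        if record is None:
            continue
        if udp_datagram_size(line) > mtu:
            problems.append(f"line {number}: {udp_datagram_size(line)} bytes exceeds MTU {mtu}")
        records.append(record)
    return records, problems


# Constructed samples, one per layout, plus two WSA lines with the faults this guide warns about.
WSA_SAMPLE = [
    "#Fields: timestamp x-elapsed-time c-ip c-port cs-bytes s-ip s-port sc-bytes cs-usernames s-computerName cs-url",
    "1723036800 120 10.1.2.3 51234 512 93.184.216.34 443 2048 jdoe - https://example.com/",
    "1723036800 120 51234 10.1.2.3 512 93.184.216.34 443 2048 jdoe - https://example.com/",  # c-ip/c-port swapped
    "1723036800 120 10.1.2.3 51234 512 93.184.216.34 443 2048 jdoe - https://example.com/ GET",  # extra field
]
BLUECOAT_SAMPLE = ["1723036800 15 10.1.2.3 51234 93.184.216.34 443 10.1.0.5 8080 512 2048 jdoe example.com /index.html"]
SQUID_SAMPLE = ["1723036800123 15 10.1.2.3 51234 512 93.184.216.34 2048 10.1.0.5 41234 10.1.0.5 3128 jdoe https://example.com/"]

if __name__ == "__main__":
    for name, sample, spec in (("WSA", WSA_SAMPLE, WSA), ("Blue Coat", BLUECOAT_SAMPLE, BLUECOAT), ("Squid", SQUID_SAMPLE, SQUID)):
        records, problems = check_lines(sample, spec)
        print(f"{name}: {len(records)} record(s) parsed, {len(problems)} problem(s)")
        for problem in problems:
            print("  ", problem)
```

Feed it a few hundred lines captured on the proxy (for WSA and Blue Coat, a local file copy of the same subscription or format; for Squid, a temporary second access_log pointing at a file with the same logformat) and fix the proxy side until it reports no problems, then go back to sw.log.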
Contacting Support
If you require technical support, please do one of the following:
- Contact your local Cisco Partner
- Contact Cisco Support
- To open a case via the web: http://www.cisco.com/c/en/us/support/index.html
- For phone support (U.S.): 1-800-553-2447
- For worldwide support numbers: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Change History
Document Version | Published Date | Description |
---|---|---|
1_0 | August 7, 2025 | Initial Version. |
Copyright Information
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)